"Express Mail" Mailing Label No. EL436467793US



PATENT APPLICATION 
ATTORNEY DOCKET NO. NAOO-13501 

METHOD AND APPARATUS FOR 
FACILITATING SECURE ANONYMOUS 
EMAIL RECIPIENTS 

Inventor: William F. Price III 



BACKGROUND 

Field of the Invention 

The present invention relates to computer security and electronic mail. 
More specifically, the present invention relates to a method and an apparatus for 
facilitating transmission of an encrypted electronic mail message to anonymous 
recipients without divulging the identities of the anonymous recipients. 

Related Art 

The advent of computer networks has led to an explosion in the development of applications that facilitate rapid dissemination of information. In particular, electronic mail (email) is becoming the predominant method for communicating textual and other non-voice information. Using email, it is just as easy to send a message to a recipient on another continent as it is to send a message to a recipient within the same building. Furthermore, an email message typically takes only minutes to arrive, instead of the days it takes for conventional mail to snake its way along roads and through airports.

One problem with email is that it is hard to ensure that sensitive information sent through email is kept confidential. This is because an email message can potentially traverse many different computer networks and many different computer systems before it arrives at its ultimate destination. An adversary can potentially intercept an email message at any of these intermediate points along the way.

One way to remedy this problem is to "encrypt" sensitive data using an encryption key so that only someone who possesses a corresponding decryption key can decrypt the message. (Note that for commonly used symmetric encryption mechanisms the encryption key and the decryption key are the same key.) A person sending sensitive data through email can encrypt the sensitive data using the encryption key before it is sent through email. At the other end, the recipient of the email can use the corresponding decryption key to decrypt the sensitive information.

Encryption works well for a message sent to a single recipient. However, encryption becomes more complicated for a message sent to multiple recipients. This is because encryption keys must be managed between the sender and the multiple recipients.

Conventional mail protocols, such as the Pretty Good Privacy (PGP) protocol, send mail to multiple recipients by encrypting a message with a session key (that is randomly selected for the message) to form an encrypted message. The session key is then encrypted with the public key of each of the recipients to form a set of encrypted keys. This set of encrypted keys is sent with the encrypted message to all of the recipients. Each recipient uses one of its private keys to decrypt an encrypted session key and then uses the session key to decrypt the encrypted message.

Note that key identifiers for the public keys that were used to encrypt the encrypted session keys are sent along with the encrypted session keys, so that each recipient can determine whether or not the recipient possesses a corresponding private key that can decrypt the encrypted session key. These identifiers are typically generated by computing a hash of the public key.
Unfortunately, the key identifiers can also identify a recipient of an email message to other recipients of the email message. This complicates the process of sending an encrypted email message to anonymous recipients, because the recipients of the email message can determine the identities of the anonymous recipients by examining the key identifiers for the anonymous recipients.
What is needed is a method and an apparatus for facilitating transmission of encrypted email to anonymous recipients without divulging the identities of the anonymous recipients.

SUMMARY 

One embodiment of the present invention provides a system that facilitates secure transmission of an email message to anonymous recipients without divulging the identities of the anonymous recipients. This system constructs an email message by identifying recipients of the email message. These recipients can include known recipients, who can be identified by examining the email message, and anonymous recipients, who cannot be identified by examining the email message. The system also generates a session key for the email message, and encrypts a body of the email message with the session key. The system also creates a recipient block for the email message that contains an entry for each recipient of the email message. Each entry in this recipient block contains the session key encrypted with a public key associated with the recipient to form an encrypted session key, so that only a corresponding private key held by the recipient can be used to decrypt the encrypted session key. Each entry additionally contains an identifier for the associated public key, so that each recipient can determine whether the recipient possesses a corresponding private key that can decrypt the encrypted session key. These identifiers are constructed so that identifiers for public keys belonging to known recipients are statistically unique, and identifiers for public keys belonging to anonymous recipients are not statistically unique. Finally, the system sends the email message to the recipients.

In one embodiment of the present invention, identifiers for public keys belonging to anonymous recipients provide only enough information to exclude a large percentage of all possible corresponding private keys from being able to decrypt the body of the email message.

In one embodiment of the present invention, an identifier for a public key 
is formed by creating a hash of the public key. 

In one embodiment of the present invention, an identifier for a public key belonging to an anonymous recipient is additionally modified so the identifier is not statistically unique. In this way, the identifier cannot be used to uniquely identify the anonymous recipient. However, a recipient can use the identifier to exclude a large percentage of all possible corresponding public keys held by the recipient from matching the identifier.

In one embodiment of the present invention, prior to encrypting the body of the email message, the system includes a checksum into the body of the email message, so that a recipient can examine the checksum to verify that the correct private key was used in decrypting the email message.
One embodiment of the present invention provides a system that facilitates secure transmission of an email message to anonymous recipients without divulging the identities of the anonymous recipients. This system operates by receiving the email message at a recipient. This email message includes a message body that has been encrypted with a session key. It also includes a recipient block that contains an entry for each recipient of the email message. Each of these entries contains the session key encrypted with a public key associated with the recipient to form an encrypted session key. Each entry additionally contains an identifier for the associated public key, wherein identifiers for public keys belonging to known recipients are statistically unique, and identifiers for public keys belonging to anonymous recipients are not statistically unique. Next, the system attempts to match a candidate public key held by the recipient with a key identifier in the recipient block. If the candidate public key matches a key identifier, the system decrypts the associated encrypted session key using an associated private key to restore the session key, and then decrypts the message body using the session key. The system then examines a checksum in the message body to verify that the message body was correctly decrypted.



BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates the transmission of an email message from a sender to recipients across a network in accordance with an embodiment of the present invention.

FIG. 2 illustrates the structure of an encrypted email message in accordance with an embodiment of the present invention.
FIG. 3 is a flow chart illustrating the process of generating an encrypted email message at a sender in accordance with an embodiment of the present invention.

FIG. 4 is a flow chart illustrating the process of decrypting an encrypted email message at a recipient in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION 

The following description is presented to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

The data structures and code described in this detailed description are typically stored on a computer readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. This includes, but is not limited to, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs) and DVDs (digital versatile discs or digital video discs), and computer instruction signals embodied in a transmission medium (with or without a carrier wave upon which the signals are modulated). For example, the transmission medium may include a communications network, such as the Internet.
Transmission of Email Message

FIG. 1 illustrates the transmission of an email message 104 from a sender 102 to recipients 108-110 across a network 106 in accordance with an embodiment of the present invention. Network 106 can include any type of wire or wireless communication channel capable of coupling together computing nodes. This includes, but is not limited to, a local area network, a wide area network, or a combination of networks. In one embodiment of the present invention, network 106 includes the Internet.

Sender 102 can include any type of computing system that can send an email message, while recipients 108-110 can include any type of computing systems that can receive an email message.

Recipients 108-110 hold private keys 112-114, respectively. These private keys 112-114 enable recipients 108-110 to decrypt email messages that have been encrypted with corresponding public keys.

Note that knowledge of a public key cannot be used to decrypt a message encrypted with the public key. The corresponding private key must be used, and this private key is typically kept secret by recipients 108-110.

The system illustrated in FIG. 1 operates generally as follows. Sender 102 produces an email message, the body of which is encrypted with a session key. This session key is encrypted with the public key of each of the recipients. Next, the encrypted message and the encrypted session keys are sent to recipients 108-110 across network 106. Recipients 108-110 use their private keys 112-114 to decrypt the encrypted session key, and then use the session key to decrypt the body of the email message.
Structure of Email Message

FIG. 2 illustrates the structure of an encrypted email message 104 in accordance with an embodiment of the present invention. Email message 104 includes an encrypted message body 206 containing information to be communicated from sender 102 to recipients 108-110. Encrypted message body 206 is created by first producing a checksum (otherwise known as a hash or a message digest) of the message body and then encrypting the message body with a session key. This session key can be randomly generated by the sender for the message.

Email message 104 also includes a recipient block 204 containing an entry for each recipient of email message 104. In FIG. 2, recipient block 204 contains three entries 220-222, one for each of the three recipients 108-110 of email message 104.

Each entry contains an encrypted session key and a key ID. More specifically: entry 220 contains encrypted session key 214 and key ID 210; entry 221 contains encrypted session key 216 and key ID 211; and entry 222 contains encrypted session key 218 and key ID 212.

Each encrypted session key is formed by encrypting the session key for the message with a public key belonging to a recipient so that the encrypted session key can be decrypted with a corresponding private key of the recipient. For example, if entry 220 is for recipient 108, encrypted session key 214 is formed by encrypting the session key with a public key belonging to recipient 108. This enables recipient 108 to decrypt the encrypted session key with a corresponding private key held by recipient 108.

Each key ID is formed by taking a hash of the public key that was used to encrypt the associated encrypted session key. For example, if entry 220 corresponds to recipient 108, key ID 210 is formed by taking a hash of the public key for recipient 108. Key ID 210 can then be used by recipient 108 to determine whether recipient 108 possesses the corresponding private key within private keys 112 to decrypt encrypted session key 214.

Note that key ID 210 is typically long, for example 64 bits. This ensures that key ID 210 is statistically unique, although uniqueness cannot be guaranteed because there exists a very small probability that two different public keys will result in the same 64-bit hash.

Entry 222 corresponds to an anonymous recipient 110, who cannot be identified by examining the email message. In order to protect the identity of anonymous recipient 110, key ID 212 is truncated to a small number of bits; for example, three to six bits. In this way, key ID 212 cannot be used to uniquely identify anonymous recipient 110. However, anonymous recipient 110 can use key ID 212 to exclude a large percentage of all possible corresponding private keys 114 held by recipient 110 from matching the identifier. Hence, if anonymous recipient 110 possesses a private key to decrypt encrypted session key 218, anonymous recipient 110 must try at most a small number of its private keys to determine if it possesses the proper private key. Without truncated key ID 212, anonymous recipient 110 may potentially have to try all of its private keys 114.



Process of Generating an Encrypted Email Message 

FIG. 3 is a flow chart illustrating the process of generating an encrypted email message 104 at sender 102 in accordance with an embodiment of the present invention. The system starts by identifying recipients of email message 104 (step 302). These recipients can include known recipients, who can be identified by examining the email message, and anonymous recipients, who cannot be identified by examining the email message. The system also generates a session key for the email message (step 304). This session key can be generated randomly by sender 102.
The system additionally generates checksum 208 for the email message body using some type of hashing mechanism (step 306). The system then encrypts the message body and the checksum to form encrypted message body 206 (step 308).

The system also creates recipient block 204 for email message 104 (step 310). Each of the entries 220-222 in recipient block 204 contains the session key encrypted with a public key associated with the corresponding recipient to form an encrypted session key. This ensures that only a corresponding private key held by the recipient can be used to decrypt the encrypted session key.

Each entry additionally contains an identifier for the associated public key, so that each recipient can determine whether the recipient possesses a corresponding private key that can decrypt the encrypted session key. These identifiers are constructed so that identifiers for public keys belonging to known recipients are statistically unique, for example by using a hashing mechanism. Identifiers for public keys belonging to anonymous recipients are modified so that they are not statistically unique, for example by truncating the hash to a small number of bits. Finally, the system sends the email message to the recipients (step 312).

Process of Decrypting an Encrypted Email Message

FIG. 4 is a flow chart illustrating the process of decrypting an encrypted email message 104 at a recipient 110 in accordance with an embodiment of the present invention. Recipient 110 starts by receiving email message 104 generated by sender 102 (step 402). Next, recipient 110 attempts to match key IDs 210-212 (from recipient block 204 in email message 104) with public keys corresponding to the private keys 114 held by recipient 110 (step 404).
If a public key matches a key ID, for example if a public key held by recipient 110 matches truncated key ID 212, recipient 110 decrypts the corresponding encrypted session key 218 with the private key corresponding to the matching public key. This restores the session key. Recipient 110 then decrypts encrypted message body 206 using the restored session key, and then verifies that checksum 208 is properly formed from the message body (step 406). Verifying the checksum additionally verifies that the proper private key was used to restore the session key.

If more than one public key held by recipient 110 matches a key ID in recipient block 204, recipient 110 may have to repeat this decryption and verification process for more than one public key.

The foregoing descriptions of embodiments of the invention have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the present invention. The scope of the present invention is defined by the appended claims.
What Is Claimed Is:

A method for facilitating secure transmission of an email message to anonymous recipients without divulging the identities of the anonymous recipients, comprising:
identifying recipients of the email message, wherein the recipients can include known recipients, who can be identified by examining the email message, and anonymous recipients, who cannot be identified by examining the email message;
generating a session key for the email message;
encrypting a body of the email message with the session key;
creating a recipient block for the email message that contains an entry for each recipient of the email message;
wherein each entry in the recipient block contains the session key encrypted with a public key associated with the recipient to form an encrypted session key, so that only a corresponding private key held by the recipient can be used to decrypt the encrypted session key;
wherein each entry additionally contains an identifier for the associated public key, so that each recipient can determine whether the recipient possesses the corresponding private key that can decrypt the encrypted session key;
wherein identifiers for public keys belonging to known recipients are statistically unique;
wherein identifiers for public keys belonging to anonymous recipients are not statistically unique; and
sending the email message to the recipients.
2. The method of claim 1, wherein identifiers for public keys belonging to anonymous recipients provide only enough information to exclude a large percentage of all possible corresponding private keys from being able to decrypt the body of the email message.

3. The method of claim 2, wherein an identifier for a public key is formed by creating a hash of the public key.

4. The method of claim 3, wherein an identifier for a public key belonging to an anonymous recipient is additionally modified so the identifier is not statistically unique;
whereby the identifier cannot be used to uniquely identify the anonymous recipient; and
whereby a recipient can use the identifier to exclude a large percentage of all possible corresponding public keys held by the recipient from matching the identifier.

5. The method of claim 1, further comprising, prior to encrypting the body of the email message, including a checksum into the body of the email message, so that a recipient can examine the checksum to verify that the correct private key was used in decrypting the email message.

A method for facilitating secure transmission of an email message to anonymous recipients without divulging the identities of the anonymous recipients, comprising:
receiving the email message at a recipient, wherein the email message includes,
    a message body that has been encrypted with a session key,
    a recipient block that contains an entry for each recipient of the email message,
    wherein each entry in the recipient block contains the session key encrypted with a public key associated with the recipient to form an encrypted session key,
    wherein each entry additionally contains an identifier for the associated public key,
    wherein identifiers for public keys belonging to known recipients are statistically unique, and
    wherein identifiers for public keys belonging to anonymous recipients are not statistically unique;
attempting to match a candidate public key held by the recipient with a key identifier in the recipient block;
if the candidate public key matches a key identifier,
    decrypting the associated encrypted session key using an associated private key to restore the session key,
    decrypting the message body using the session key, and
    examining a checksum in the message body to verify that the message body was correctly decrypted.

7. The method of claim 6, wherein identifiers for public keys belonging to anonymous recipients provide only enough information to exclude a large percentage of all possible corresponding private keys from being able to decrypt the message body of the email message.
8. The method of claim 7, wherein an identifier for a public key is formed by creating a hash of the public key.



9. The method of claim 8, wherein an identifier for a public key belonging to an anonymous recipient is additionally modified so the identifier is not statistically unique;
whereby the identifier cannot be used to uniquely identify the anonymous recipient; and
whereby a recipient can use the identifier to exclude a large percentage of all possible public keys belonging to the recipient from matching the identifier.

A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating secure transmission of an email message to anonymous recipients without divulging the identities of the anonymous recipients, the method comprising:
identifying recipients of the email message, wherein the recipients can include known recipients, who can be identified by examining the email message, and anonymous recipients, who cannot be identified by examining the email message;
generating a session key for the email message;
encrypting a body of the email message with the session key;
creating a recipient block for the email message that contains an entry for each recipient of the email message;
wherein each entry in the recipient block contains the session key encrypted with a public key associated with the recipient to form an encrypted session key, so that only a corresponding private key held by the recipient can be used to decrypt the encrypted session key;
wherein each entry additionally contains an identifier for the public key, so that each recipient can determine whether the recipient possesses the corresponding private key that can decrypt the encrypted session key;
wherein identifiers for public keys belonging to known recipients are statistically unique;
wherein identifiers for public keys belonging to anonymous recipients are not statistically unique; and
sending the email message to the recipients.

11. The computer-readable storage medium of claim 10, wherein identifiers for public keys belonging to anonymous recipients provide only enough information to exclude a large percentage of all possible corresponding private keys from being able to decrypt the body of the email message.

12. The computer-readable storage medium of claim 11, wherein an identifier for a public key is formed by creating a hash of the public key.

13. The computer-readable storage medium of claim 12, wherein an identifier for a public key belonging to an anonymous recipient is additionally modified so the identifier is not statistically unique;
whereby the identifier cannot be used to uniquely identify the anonymous recipient; and
whereby a recipient can use the identifier to exclude a large percentage of all possible public keys belonging to the recipient from matching the identifier.
14. The computer-readable storage medium of claim 10, wherein prior to encrypting the body of the email message, the method further comprises including a checksum into the body of the email message, so that a recipient can examine the checksum to verify that the correct private key was used in decrypting the email message.

A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating secure transmission of an email message to anonymous recipients without divulging the identities of the anonymous recipients, the method comprising:
receiving the email message at a recipient, wherein the email message includes,
    a message body that has been encrypted with a session key,
    a recipient block that contains an entry for each recipient of the email message,
    wherein each entry in the recipient block contains the session key encrypted with a public key associated with the recipient to form an encrypted session key,
    wherein each entry additionally contains an identifier for the associated public key,
    wherein identifiers for public keys belonging to known recipients are statistically unique, and
    wherein identifiers for public keys belonging to anonymous recipients are not statistically unique;
attempting to match a candidate public key held by the recipient with a key identifier in the recipient block;
if the candidate public key matches a key identifier,
    decrypting the associated encrypted session key using an associated private key to restore the session key,
    decrypting the message body using the session key, and
    examining a checksum in the message body to verify that the message body was correctly decrypted.

16. The computer-readable storage medium of claim 15, wherein identifiers for public keys belonging to anonymous recipients provide only enough information to exclude a large percentage of all possible corresponding private keys from being able to decrypt the message body of the email message.

17. The computer-readable storage medium of claim 16, wherein an identifier for a public key is formed by creating a hash of the public key.

18. The computer-readable storage medium of claim 17, wherein an identifier for a public key belonging to an anonymous recipient is additionally modified so the identifier is not statistically unique;
whereby the identifier cannot be used to uniquely identify the anonymous recipient; and
whereby a recipient can use the identifier to exclude a large percentage of all possible public keys belonging to the recipient from matching the identifier.

An apparatus that facilitates secure transmission of an email message to anonymous recipients without divulging the identities of the anonymous recipients, comprising:
an identifying mechanism that is configured to identify recipients of the email message, wherein the recipients can include known recipients, who can be identified by examining the email message, and anonymous recipients, who cannot be identified by examining the email message;
a key generation mechanism that is configured to generate a session key for the email message;
an encryption mechanism that is configured to encrypt a body of the email message with the session key;
a recipient block creation mechanism that is configured to create a recipient block for the email message that contains an entry for each recipient of the email message;
wherein each entry in the recipient block contains the session key encrypted with a public key associated with the recipient to form an encrypted session key, so that only a corresponding private key held by the recipient can be used to decrypt the encrypted session key;
wherein each entry additionally contains an identifier for the associated public key, so that each recipient can determine whether the recipient possesses the corresponding private key that can decrypt the encrypted session key;
wherein identifiers for public keys belonging to known recipients are statistically unique;
wherein identifiers for public keys belonging to anonymous recipients are not statistically unique; and
a sending mechanism that is configured to send the email message to the recipients.

20. The apparatus of claim 19, wherein identifiers for public keys belonging to anonymous recipients provide only enough information to exclude a large percentage of all possible corresponding public keys from being able to decrypt the body of the email message.



21. The apparatus of claim 20, wherein an identifier for a public key is a hash of the public key.

22. The apparatus of claim 21, wherein the recipient block creation
mechanism is additionally configured to modify an identifier for a public key
belonging to an anonymous recipient so the identifier is not statistically unique;

whereby the identifier cannot be used to uniquely identify the anonymous
recipient; and

whereby a recipient can use the identifier to exclude a large percentage of
all possible public keys held by the recipient from matching the identifier.

23. The apparatus of claim 19, further comprising a checksum
mechanism, wherein prior to encrypting the body of the email message, the
checksum mechanism is configured to include a checksum in the body of the
email message, so that a recipient can examine the checksum to verify that the
correct private key was used in decrypting the email message.

24. An apparatus that facilitates secure transmission of an email
message to anonymous recipients without divulging the identities of the
anonymous recipients, comprising:

a receiving mechanism that is configured to receive the email message at a
recipient, wherein the email message includes,

a message body that has been encrypted with a session key,

a recipient block that contains an entry for each recipient of
the email message,

wherein each entry in the recipient block contains the
session key encrypted with a public key associated with the
recipient to form an encrypted session key,

wherein each entry additionally contains an identifier for
the associated public key,

wherein identifiers for public keys belonging to known
recipients are statistically unique, and

wherein identifiers for public keys belonging to anonymous
recipients are not statistically unique;

a matching mechanism that is configured to attempt to match a candidate
public key belonging to the recipient with a key identifier in the recipient block;

a decryption mechanism, wherein if the candidate public key matches a
key identifier, the decryption mechanism is configured to,

decrypt the associated encrypted session key using a
corresponding private key to restore the session key,

decrypt the message body using the session key, and to

examine a checksum in the message body to verify that the
message body was correctly decrypted.

25. The apparatus of claim 24, wherein identifiers for public keys
belonging to anonymous recipients provide only enough information to exclude a
large percentage of all possible corresponding private keys from being able to
decrypt the message body of the email message.
26. The apparatus of claim 25, wherein an identifier for a public key is
a hash of the public key.

27. The apparatus of claim 26, wherein an identifier for a public key
belonging to an anonymous recipient is additionally modified so the identifier is
not statistically unique;

whereby the identifier cannot be used to uniquely identify the anonymous
recipient; and

whereby a recipient can use the identifier to exclude a large percentage of
all possible public keys belonging to the recipient from matching the identifier.
METHOD AND APPARATUS FOR 
FACILITATING SECURE ANONYMOUS 
EMAIL RECIPIENTS 

ABSTRACT 

One embodiment of the present invention provides a system that facilitates 
secure transmission of an email message to anonymous recipients without 
divulging the identities of the anonymous recipients. This system constructs an 
email message by identifying recipients of the email message. These recipients 
can include known recipients, who can be identified by examining the email 
message, and anonymous recipients, who cannot be identified by examining the 
email message. The system also generates a session key for the email message, 
and encrypts a body of the email message with the session key. The system also 
creates a recipient block for the email message that contains an entry for each 
recipient of the email message. Each entry in this recipient block contains the 
session key encrypted with a public key associated with the recipient to form an 
encrypted session key, so that only a corresponding private key held by the 
recipient can be used to decrypt the encrypted session key. Each entry 
additionally contains an identifier for the associated public key, so that each 
recipient can determine whether the recipient possesses a corresponding private 
key that can decrypt the encrypted session key. These identifiers are constructed 
so that identifiers for public keys belonging to known recipients are statistically 
unique, and identifiers for public keys belonging to anonymous recipients are not 
statistically unique. Finally, the system sends the email message to the recipients. 
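The sender-side construction of claims 19 through 23 and the receiver-side matching of claims 24 through 27, as restated in the abstract, as an added worked model in Python. This is constructed example code, not the application's own implementation or any product's code. The stand-ins it assumes are labelled in the comments: textbook RSA with small random primes in place of the recipients' real public-key scheme, a SHA-256 keystream in place of the symmetric body cipher, a SHA-256 digest of the public key as the key identifier (kept whole for known recipients, truncated to one byte for anonymous recipients, which excludes roughly 255 of every 256 candidate keys), and an eight-byte SHA-256 checksum appended to the body before encryption. All function and constant names are the example's own.

```python
import hashlib
import random
import secrets

KNOWN_ID_LEN = 32    # full SHA-256 digest: statistically unique (known recipients)
ANON_ID_LEN = 1      # truncated digest: deliberately not unique (anonymous recipients)
MODULUS_BITS = 256   # toy RSA size, illustration only
SESSION_KEY_LEN = 16
CHECKSUM_LEN = 8

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a demo prime generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keypair():
    """Textbook RSA pair ((n, e), (n, d)): stand-in for any public-key scheme, NOT secure."""
    e = 65537
    while True:
        p, q = _random_prime(MODULUS_BITS // 2), _random_prime(MODULUS_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def key_id(pub, length):
    """Identifier = hash of the public key (claim 21), truncated for anonymous recipients (claim 22)."""
    n, e = pub
    return hashlib.sha256(n.to_bytes(MODULUS_BITS // 8, "big") + e.to_bytes(4, "big")).digest()[:length]

def _stream_xor(key, data):
    """Stand-in symmetric cipher: XOR with SHA-256(key || counter) blocks (illustration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_message(plaintext, known_pubs, anon_pubs):
    """Sender side (claims 19, 23): checksum the body, encrypt it, build the recipient block."""
    session_key = secrets.token_bytes(SESSION_KEY_LEN)
    body = plaintext + hashlib.sha256(plaintext).digest()[:CHECKSUM_LEN]  # checksum added before encryption
    entries = []
    for pub, id_len in [(p, KNOWN_ID_LEN) for p in known_pubs] + [(p, ANON_ID_LEN) for p in anon_pubs]:
        n, e = pub
        wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # session key encrypted with recipient's public key
        entries.append((key_id(pub, id_len), wrapped))
    random.shuffle(entries)  # entry order must not single out the anonymous recipients
    return {"recipient_block": entries, "body": _stream_xor(session_key, body)}

def open_message(msg, candidates):
    """Receiver side (claim 24): match identifiers, unwrap, decrypt, verify checksum. None if not a recipient."""
    for pub, (n, d) in candidates:
        for ident, wrapped in msg["recipient_block"]:
            if key_id(pub, len(ident)) != ident:
                continue  # the identifier excludes this candidate key without any decryption
            # Unpadded unwrap: a wrong private key yields garbage here, which the checksum then rejects.
            session_key = pow(wrapped, d, n).to_bytes(MODULUS_BITS // 8, "big")[-SESSION_KEY_LEN:]
            body = _stream_xor(session_key, msg["body"])
            plaintext, checksum = body[:-CHECKSUM_LEN], body[-CHECKSUM_LEN:]
            if hashlib.sha256(plaintext).digest()[:CHECKSUM_LEN] == checksum:
                return plaintext
    return None

def keypair_with_id_prefix(prefix):
    """A key pair whose truncated identifier equals `prefix`: shows why the checksum is needed."""
    while True:
        kp = keypair()
        if key_id(kp[0], len(prefix)) == prefix:
            return kp

if __name__ == "__main__":
    alice, bob, carol = keypair(), keypair(), keypair()   # constructed sample keys
    msg = build_message(b"board minutes", known_pubs=[alice[0]], anon_pubs=[bob[0]])
    print(open_message(msg, [alice]), open_message(msg, [bob]), open_message(msg, [carol]))
```

Two points the claims make are visible in the model. A one-byte identifier rules out about 99.6% of a recipient's candidate keys before any decryption, yet maps to thousands of keys in any realistic key population, so an observer cannot recover the anonymous recipient from the recipient block; and because a colliding identifier still leads to a trial decryption, the checksum of claims 23 and 24 is what tells a recipient whether the trial actually succeeded. The example's RSA unwrap is deliberately unpadded so that a wrong private key produces garbage rather than an error; a production implementation would use a padded public-key scheme and treat a padding failure the same way as a checksum mismatch.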